Global Research Syndicate

Password data for ~2.2 million users of currency and gaming sites dumped online

globalresearchsyndicate by globalresearchsyndicate
November 19, 2019
in Data Collection

Password data and other personal information belonging to as many as 2.2 million users of two websites—one a cryptocurrency wallet service and the other a gaming bot provider—have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service.

One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that’s among the hardest to crack.

The person posting the 3.72GB GateHub database said it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes, although GateHub officials said an investigation suggested wallet hashes were not accessed. The EpicBot database, meanwhile, purportedly included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the authenticity of the data. All of the email addresses he checked were registered to accounts of the two sites.

Another indication that the data in the file belongs to GateHub account holders: this Twitter post. It came from Aashish Koirala, a self-described software developer who said he recently received a notification from the identity protection arm of consumer credit reporting service Experian. The advisory, Koirala said, notified him that “my credentials for @GateHub were found compromised on the Dark Web.”

@troyhunt Just got word from Experian’s IDNotify that my credentials for @GateHub were found compromised on the dark web. FYI in case you were getting any news about a GateHub breach or hack.

— Aashish Koirala (@aashishkoirala) November 14, 2019

While there were 2.2 million unique addresses in the two dumps, it’s possible that corresponding password hashes or other data isn’t included with each one.

Unauthorized access

The GateHub account data, which was posted to the RaidForums hacker site in late August, came three months after the cryptocurrency service reported that it had been hacked. The attackers, GateHub said, had stolen, or at least tried to steal, a wealth of sensitive information for more than 18,000 user accounts. The wording of the post left unclear exactly what data beyond access tokens was successfully obtained.

GateHub officials wrote:

As previously suggested in our investigation update, we believe the perpetrator gained unauthorized access to a database holding valid access tokens of our customers. Using these tokens the perpetrator accessed 18,473 encrypted customer accounts, a very small fraction of our total user base. On affected accounts, the following data was being targeted: email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), last names (if provided).

GateHub’s disclosure went on to say that site officials notified users whose accounts were accessed and generated new encryption keys and re-encrypted sensitive information, such as ledger wallet secret keys.

The posting of the database means the breach that the wallet service disclosed in July was much bigger than previously thought. Rather than obtaining only access tokens, the attackers also took 2FA keys, email addresses, password hashes, mnemonic phrases, and possibly wallet hashes. What’s more, the breach affected as many as 1.4 million GateHub users, not just the 18,473 mentioned in the disclosure. In an email, an unnamed member of the GateHub security team wrote:

We are aware of a database posted on RaidForums whose author claims that it belongs to GateHub. The alleged GateHub database is being thoroughly examined by our team, therefore, we are unable to confirm its authenticity at this time. We will make sure to keep you posted of any updates.

From what we have gathered so far, it does not contain wallet hashes. As mentioned before, we are still verifying its authenticity.

One of our initial responses to the cyber attack was to introduce re-encryption to all GateHub accounts. With the new re-encryption, all GateHub accounts were re-encrypted and all of our customers had to change their passwords. This was introduced in July 2019.

The statement didn’t explain why the investigation has been unable to verify the authenticity of the data 25 days after it was posted and four months after it was first accessed. It was also unclear precisely what officials meant by “re-encrypted.”

“There are references to PGP [in the database],” Hunt told me. “There are what appear to be PGP encrypted strings. I’m not sure if that’s what they rotated. Are they talking about rotating cryptographic hashes, or are they talking about this section of PGP which is wallet related?”

Change passwords, mnemonic phrases, etc.

The EpicBot leak, meanwhile, was posted to RaidForums on October 25, the same day as the GateHub dump. Hunt said it contains roughly 800,000 unique email addresses, along with usernames, IP addresses, and bcrypt-hashed passwords. EpicBot officials didn’t respond to requests to comment for this post. I couldn’t find any mention of a breach on the EpicBot website.

Both sites’ use of the bcrypt hashing function, assuming it was implemented correctly, is encouraging. Bcrypt is so compute-intensive that it would require years for even powerful graphic-card equipped clusters to crack all of the passwords. Of course, deploying bcrypt insecurely is easy. Programming errors made by the Ashley Madison cheaters’ website, for instance, made it trivial to crack more than 11 million of the 36 million bcrypt hashes leaked in the 2015 hack of the site.
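
An added example (not from the original article or either site's code): a check a defender can run over their own credential table to see whether bcrypt is deployed the way the paragraph above assumes. It parses each stored value as a bcrypt string, flags low cost factors and repeated salts, and flags sibling columns holding digests sized like MD5/SHA-1/SHA-256 output, the kind of fast hash kept beside bcrypt that undermined Ashley Madison's hashes. The column names, the cost floor of 10 and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt string layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2([abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Bare hex the length of MD5 / SHA-1 / SHA-256 output: candidates for a fast, unsalted hash
FAST_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
MIN_COST = 10  # assumed policy floor, not a value from the article

def parse_bcrypt(value):
    """Return variant, cost and salt of a well-formed bcrypt string, else None."""
    m = BCRYPT_RE.match(value or "")
    if not m or not 4 <= int(m.group(2)) <= 31:  # bcrypt only accepts costs 4..31
        return None
    return {"variant": "2" + m.group(1), "cost": int(m.group(2)), "salt": m.group(3)}

def audit_table(rows, password_field="password_hash"):
    """Map row id -> list of findings; rows with no findings are omitted."""
    parsed = {r["id"]: parse_bcrypt(r.get(password_field)) for r in rows}
    salt_counts = Counter(p["salt"] for p in parsed.values() if p)
    report = {}
    for r in rows:
        findings, p = [], parsed[r["id"]]
        if p is None:
            findings.append("not-bcrypt")
        else:
            if p["cost"] < MIN_COST:
                findings.append("low-cost")
            if salt_counts[p["salt"]] > 1:  # salts must be unique per password
                findings.append("reused-salt")
        # A fast digest stored next to the bcrypt hash lets an attacker skip bcrypt
        for name, value in r.items():
            if name != password_field and isinstance(value, str) and FAST_HEX_RE.match(value):
                findings.append("fast-digest-column:" + name)
        if findings:
            report[r["id"]] = findings
    return report

# Constructed sample rows (not real hashes, not taken from either dump)
SAMPLE_ROWS = [
    {"id": 1, "password_hash": "$2b$12$" + "a" * 22 + "b" * 31},
    {"id": 2, "password_hash": "$2a$04$" + "c" * 22 + "d" * 31},
    {"id": 3, "password_hash": "0123456789abcdef" * 2},
    {"id": 4, "password_hash": "$2b$12$" + "e" * 22 + "f" * 31, "login_token": "fedcba9876543210" * 2},
    {"id": 5, "password_hash": "$2b$12$" + "e" * 22 + "g" * 31},
]
```

A flagged `fast-digest-column` is a prompt to trace how that column is derived, not proof of a flaw: a random session token of the same length is harmless.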

The leaking of other types of personal information for what could be as many as 2.2 million accounts is less admirable, especially since there’s little evidence all affected users were notified in a timely fashion. EpicBot users should change their passwords as soon as possible. For GateHub users, a password reset isn’t required given the mandatory change done in July. But mnemonic phrases should be replaced, assuming they weren’t already.

To ward off the growing threat of credential stuffing attacks, users of both sites should also change passwords for any other sites that used the compromised credentials. Users should also be on the alert for spear phishing and other forms of attack that make use of their personal information.

Copyright © 2020 Globalresearchsyndicate.com.
